[Distutils] does pypi or red-dove have a better firehose API than "download all the packages"?

holger krekel holger at merlinux.eu
Fri May 24 15:54:05 CEST 2013


On Fri, May 24, 2013 at 07:20 -0400, Donald Stufft wrote:
> On May 24, 2013, at 7:17 AM, Vinay Sajip <vinay_sajip at yahoo.co.uk> wrote:
> 
> >> From: holger krekel <holger at merlinux.eu>
> > 
> > 
> >> 
> >> Nice.  How do you actually get at the dependencies?  Don't you
> >> need to execute setup.py for that?
> >> 
> > 
> > Yes, that's how it's done. However, the idea is to do it once per uploaded release and remember the results, so an installer tool like pip doesn't have to download and run setup.py every time :-)
> 
> So what you're saying is I can root your machine with a setup.py? ;)

That's the immediate risk, indeed :)  However, I guess one could use a VM
with a chroot and a dedicated user and timeout the setup after 20 seconds
or so to regain some safety.   It's a bit horrible but OTOH I'd really
like to have this information (especially the deps) without requiring
everybody to switch to a new packaging format first.

holger
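The mitigation sketched in the reply above, as an added example (not code from any of the posters or from PyPI): run `setup.py egg_info` once per release in a throwaway environment, kill it after the suggested 20 seconds, cap its CPU and memory, and then parse the `requires.txt` it leaves behind. The VM, chroot and dedicated user are assumed to be provided by whoever calls this; the function names, the limits and the sample `requires.txt` content are all this example's own assumptions, and the two children in `demo_run` are benign stand-ins for a setup.py.

```python
"""Run an untrusted setup.py under a wall-clock timeout and resource limits,
then parse the requires.txt that ``setup.py egg_info`` writes out.

Added example, not code from the thread.  The outer sandbox (VM, chroot,
dedicated user) is assumed to exist around this process; this module only
adds the timeout, the resource caps, a stripped environment and the parsing."""
import glob
import os
import signal
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

try:
    import resource          # POSIX only; elsewhere the rlimit caps are skipped
except ImportError:          # pragma: no cover
    resource = None

SANDBOX_TIMEOUT = 20                     # seconds, the figure suggested in the thread
MAX_CPU_SECONDS = 20                     # assumed CPU cap for the child
MAX_ADDRESS_SPACE = 1024 * 1024 * 1024   # assumed 1 GiB memory cap for the child
MAX_OUTPUT_BYTES = 64 * 1024             # assumed cap on captured output


@dataclass
class RunResult:
    status: str                  # "ok", "error" (non-zero exit) or "timeout"
    returncode: Optional[int] = None
    stdout: str = ""
    stderr: str = ""


def _cap(kind: int, value: int) -> None:
    """Lower one rlimit, never above the current hard limit."""
    _soft, hard = resource.getrlimit(kind)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(kind, (value, value))


def _apply_limits() -> None:
    """preexec_fn: runs in the child between fork and exec."""
    if resource is None:
        return
    _cap(resource.RLIMIT_CPU, MAX_CPU_SECONDS)
    _cap(resource.RLIMIT_AS, MAX_ADDRESS_SPACE)
    _cap(resource.RLIMIT_CORE, 0)        # no core dumps from the untrusted code


def run_untrusted(argv: list, cwd: str, timeout: float = SANDBOX_TIMEOUT) -> RunResult:
    """Run argv in cwd with a stripped environment, resource caps and a
    wall-clock timeout.  On timeout the whole process group is killed, so
    background children spawned by setup.py do not outlive the run."""
    env = {"PATH": os.environ.get("PATH", ""), "HOME": cwd, "LANG": "C"}
    proc = subprocess.Popen(
        argv, cwd=cwd, env=env, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True,
        start_new_session=True,                       # child gets its own process group
        preexec_fn=_apply_limits if os.name == "posix" else None)
    try:
        out, err = proc.communicate(timeout=timeout)
    except subprocess.TimeoutExpired:
        if os.name == "posix":
            os.killpg(proc.pid, signal.SIGKILL)
        else:
            proc.kill()
        proc.communicate()                            # reap the child
        return RunResult("timeout")
    status = "ok" if proc.returncode == 0 else "error"
    return RunResult(status, proc.returncode, out[:MAX_OUTPUT_BYTES], err[:MAX_OUTPUT_BYTES])


def parse_requires_txt(text: str) -> dict:
    """Parse setuptools' requires.txt: leading plain lines are install_requires
    (key ""), "[name]" starts an extra, and "[:marker]" / "[name:marker]"
    sections hold environment-conditional requirements."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def extract_dependencies(project_dir: str, timeout: float = SANDBOX_TIMEOUT) -> Optional[dict]:
    """Run ``setup.py egg_info`` once, sandboxed, and return the parsed
    requires.txt; None when the run failed or timed out."""
    with tempfile.TemporaryDirectory() as egg_base:
        argv = [sys.executable, "setup.py", "egg_info", "--egg-base", egg_base]
        result = run_untrusted(argv, project_dir, timeout)
        if result.status != "ok":
            return None
        matches = glob.glob(os.path.join(egg_base, "*.egg-info", "requires.txt"))
        if not matches:
            return {"": []}        # egg_info ran but declared no requirements
        with open(matches[0], encoding="utf-8") as fh:
            return parse_requires_txt(fh.read())


def demo_run(timeout: float = 2.0):
    """Constructed demo: one child that finishes, one that sleeps past the timeout."""
    here = tempfile.gettempdir()
    quick = run_untrusted([sys.executable, "-c", "print('hello')"], here, timeout)
    hang = run_untrusted([sys.executable, "-c", "import time; time.sleep(30)"], here, timeout)
    return quick, hang
```

Killing the process group rather than just the child matters because a setup.py is arbitrary code and can fork; the stripped environment keeps credentials and proxy settings of the harvesting host out of the child. The rlimit caps are per-process, so the outer VM or chroot still has to do the real isolation.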

